Cyberoam Release Notes

Release Notes Version: 10.00

Release Dates
Version 10.00 Build 232 – 23rd April, 2010 (CR15i appliances)
Version 10.00 Build 231 – 20th April, 2010 (CR15wi appliances)
Version 10.00 Build 230 – 17th April, 2010 (CR25i appliances)

Release Information
Release Type: General Availability
Compatible versions: 9.6.0.78 – CR25i
9.5.8.68 – CR15i
CR15wi models will be shipped with this version only.
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to: Cyberoam Appliance models – CR15wi, CR15i and CR25i

Upgrade procedure

NOTE: after upgrading to V10, it is not possible to rollback to V9

1. Go to Web Admin Console and take backup of v 9.6.x.x from System > Manage Data >
Backup Data. For real-time conversion of v9 backup to v10 compatible backup, browse
to data migration site (http://v9migration.cyberoam.com) and upload v9 backup file.

Note: If you are upgrading fresh v9.x appliance i.e. without custom configuration
and data, skip step 1.
2. Download Appliance model-specific firmware from http://customer.cyberoam.com.
3. Upload the firmware (downloaded in step 2) from Web Admin console (menu Help >
Upload Upgrade).
4. Once the file is uploaded successfully, log on to CLI console and go to the menu
“Option 6 Upgrade Version” and follow the on-screen instructions to upgrade.
5. Appliance will be uploaded with factory default firmware i.e. appliance will come up with
the factory default setting.

Note: If you are upgrading fresh v9.x appliance i.e. without custom configuration
and data, skip rest of the steps. After this step, your appliance is ready for use.
6. Restore the v10 compatible backup from Web Admin console (menu System >
Maintenance > Backup & Restore)
7. To view the version 9.x reports, browse to http://<Cyberoam IP>/reports and to view
reports generated after version upgrade go to Logs & Reports > View Reports. This
option will not be available for CR15i models.
8. To view the version 9.x quarantined mails go to Antivirus > Quarantine > V 9 Quarantine
while to view the mails quarantined after version upgrade go to Antivirus > Quarantine >
Quarantine. This option will not be available for CR15i models.

Compatibility issues
Appliance model-specific firmware and hence firmware of one model will not be applicable
on another model. Upgrade will not be successful and you will receive error if you are trying
to upgrade Appliance model CR100i with firmware for model CR500i.

Document version –3.0-23/04/2010

 Cyberoam Release Notes

Contents

Release Dates ...........................................................................................................1

Release Information ..................................................................................................1
Introduction................................................................................................................4
Features and Enhancements ....................................................................................4
1. Wireless LAN support (for CR15wi models only) .............................................4
Configuration....................................................................................................4
2. Email Archiving (for CR15wi, CR 15i, CR25i models only) ..............................4
Configuration....................................................................................................5
3. DHCP Server Logs (for CR15wi, CR 15i, CR25i models only) ........................5
4. Firmware-based Upgrades...............................................................................5
5. GUI Revamp ....................................................................................................5
6. GUI Themes.....................................................................................................5
Configuration....................................................................................................5
7. Role Based Access Control .............................................................................5
Configuration....................................................................................................6
8. Multiple Authentication support ........................................................................6
Configuration....................................................................................................6
9. Thin Client Support ..........................................................................................6
Configuration....................................................................................................7
10. IM Logging and Control for Yahoo and WLM...................................................7
Configuration....................................................................................................7
Limitations ........................................................................................................7
11. IPv6 Traffic Forwarding support .......................................................................7
Configuration....................................................................................................8
12. SSL VPN Updates............................................................................................9
12.1 Application Access Mode ...................................................................9
12.2 Save User Credential option for Remote Users .................................9
12.3 Auto-start SSL VPN connection.........................................................9
13. 3G device support on WAN............................................................................10
Configuration..................................................................................................10
14. Integration with Cyberoam-iView for Logging and Reporting.........................10
15. Customer My Account Portal for Registration & Subscription........................11
16. External Authentication support for Administrator..........................................11
17. Support to mitigate HTTP-based DDos Attack...............................................11
Configuration..................................................................................................11
18. Traffic Inspection on non-standard ports........................................................11
Configuration..................................................................................................12
19. Protection of BGP Sessions via the TCP MD5 Signature ..............................12
Configuration..................................................................................................12
20. Module level Logging capability .....................................................................12
21. Miscellaneous Enhancements .......................................................................12
21.1 100+ Applications filter support........................................................12
21.2 Web filter support.............................................................................13

Document version –3.0-23/04/2010

 Cyberoam Release Notes

21.3 Configurable Automatic Updates of Web Categories & IPS Signature

database ..........................................................................................13
21.4 Support for Firewall rule Name ........................................................13
21.5 Appliance Management from Dashboard ........................................13
21.6 Global Administrator support ...........................................................13
21.7 Captive Portal page components customization support .................13
21.8 Packet Capture log ..........................................................................14
21.9 Automatic Certificate regeneration on modification..........................14
21.10 Appliance Access bypass check (for CR15wi, CR 15i, CR25i models
only) .................................................................................................14
Feature removed .....................................................................................................14
1. CLI option “Remove Firewall Rules” (for CR15wi, CR 15i, CR25i models only)
14
General Information.................................................................................................15
Technical Assistance...............................................................................................15
Technical Support Documents ................................................................................15

Document version –3.0-23/04/2010

 Cyberoam Release Notes

Introduction
This document contains the release notes for Cyberoam version 10.00. The following
sections describe the release in detail.

This will be a key release with architectural changes, new features and enhancements that
improves quality, reliability, and performance.

Features and Enhancements

1. Wireless LAN support (for CR15wi models only)

Cyberoam has introduced a new model CR15wi as a wireless security gateway with the
support of three wireless protocols called IEEE 802.11n, 802.11b and 802.11g. By
functioning as an access point, secure wireless gateway and firewall, it provides real-time
network protection and high-speed wireless connectivity without compromising performance
and cost.

Apart from the access point, by integrating with firewall, CR15wi delivers comprehensive
protection to small, remote and branch office users from threats like malware, virus, spam,
phishing, and pharming attacks.

CR15wi models, by default include one wireless interface called WLAN1. When deployed in
gateway mode it can support up to seven additional wireless interfaces while in bridge mode
no additional wireless interface can be added. Wireless interface can also act as a DHCP
server or relay for its clients.

CR15wi supports the following wireless network standards:

• 802.11n (5 GHz Band)
• 802.11b (2.4-GHz Band)
• 802.11g (2.4-GHz Band)
• WEP64 and WEP128 Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys

Configuration
1. Configure Wireless LAN General Settings from Settings page. These general
configurations are common to all the access points including the default WLAN1.
2. Please note that as Wireless Interface is member of LAN zone all the firewall rules
applicable to LAN zone will be applicable to the traffic for this interface also. Appliance
Access set for the LAN will be applicable to this interface also.

2. Email Archiving (for CR15wi, CR 15i, CR25i models only)

As email being the primary communication channel, Corporate email archiving is an integral
part of the business flow. Four major reasons for an organization to archive its email are
compliance, litigation support, storage management and knowledge management. It
ensures that the organization has a centralized and accessible copy of all its email. This
provides additional protection against accidental or intentional deletion of emails by its
employees and preventing the data leakage.

With Cyberoam, Administrator can now archive all the email, emails of a specific recipient or
a group of recipients coming into the organization. This will help in preventing data leakage.
Document version –3.0-23/04/2010
 Cyberoam Release Notes

Cyberoam can archive all emails intended for a single or multiple recipients and can be
forwarded to the single administrator or multiple administrators.

Configuration
1. Configure Email Archiving rule for a single mail recipient or all the recipients and the
email address at which all the mails are to be forwarded for archiving.

3. DHCP Server Logs (for CR15wi, CR 15i, CR25i models only)

For monitoring and troubleshooting the DHCP lease traffic, Logging functionality is extended
to include DHCP Server events log. With the inclusion of DHCP Server log, Cyberoam can
now log following different network activities and traffic including: overall network traffic i.e.
firewall and traffic discovery, IPS anomaly and signature, anti virus - URL and mails
blocked, spam filtering and content filtering - access allowed and blocked.

The DHCP event log contains events that are associated with activities of the DHCP service
and DHCP server, such as DHCP leases, renewal and expiry.

As DHCP logs are included in System logs they can be viewed from System logs under Log
Viewer page of Web Admin console.

4. Firmware-based Upgrades
All the upgrades after this version will now be firmware based i.e. version can be upgraded
directly to the latest version. Firmware will be Appliance-specific and hence firmware of one
model will not be applicable on another model.
For example, if the latest released version is 10.1.0.16 and current version in your Appliance
is 10.0.0.2 then with this upgrade you will be able to directly upgrade to the latest version
10.1.0.16 instead of upgrading each intermediate version individually.

There will be support of multiple firmware residing on the appliance, so the Administrator will
be able to switch between the firmware if needed. Apart from that, upgrade and downgrade
will now also be more stable and robust as entire Operating system is converted into
bootable firmware (Starting from boot up sequence / BIOS).

5. GUI Revamp
To improvise usability, a good portion of Web UI has been re-organized. This will also
provide a more user-friendly approach to layout, menu and screens. New GUI will be based
on Web 2.0 concept and components.

6. GUI Themes
Cyberoam now provides Themes page to quickly switch between predefined themes. Each
theme comes with its own custom skin, which provides the color scheme and font style for
entire GUI i.e. navigation frame, tabs and buttons.

You can choose from 2 themes – Cyberoam Standard and Cyberoam Classic.

Configuration
The default “Cyberoam Standard” theme can be changed from Options under System menu
from Web Admin Console.

7. Role Based Access Control

To offer greater granular access control and flexibility, from this version onwards, Cyberoam
Document version –3.0-23/04/2010
 Cyberoam Release Notes

provides role-based administration capabilities.

It allows an organization to separate super administrator's capabilities and assign through

Profiles. Profiles are a function of an organization's security needs and can be set up for
special-purpose administrators in areas such as firewall administration, network
administration, logs administration. Profiles allow to assign permissions to individual
administrators depending on their role or job need in organization.

The profile separates Cyberoam features into access control categories for which you can
enable none, read only, or read-write access.

For ease of use by default, Cyberoam provides 4 profiles:

• Administrator – super administrator with full privileges
• Security Admin – read-write privileges for all features except Profiles and Log & Reports
• Audit Admin – read-write privileges for Logs & Reports only
• Crypto Admin – read-write privileges for Certificate configuration only

Configuration
1. Custom profiles can be created and managed from the Profile page of Administration
menu
2. Assign profile (created in step 1) to user from the User page of Identity menu

8. Multiple Authentication support

This feature allows administrator to configure authentication based on the type of user –
Firewall, VPN and SSL VPN and with multiple servers.

User level authentication can now be performed using local user database, RADIUS, LDAP,
Active Directory or any combination of these.

Combination of external and local authentication is useful in the large networks where it is
required to provide guest user accounts for temporary access while a different
authentication mechanism like RADIUS for VPN and SSL VPN users provides better
security as password is not exchanged over the wire.

In case of multiple servers, administrator can designate the primary and optionally the
secondary server. If primary server cannot authenticate the user then only secondary server
will try to authenticate. If secondary server cannot authenticate the user then Cyberoam
refuses the access.

By default, primary authentication method is “Local” while secondary authentication method

is “None”.

Configuration
3. Configure authentication server i.e. RADIUS, LDAP or Active Directory
4. Integrate external authentication server with Cyberoam and configure primary and
secondary authentication method for Firewall, VPN and SSL VPN traffic from
Authentication page of Identity menu from Web Admin console.

9. Thin Client Support

Cyberoam can now authenticate hosts connecting remotely through Microsoft Terminal
Server (Microsoft TSE) – Windows server 2003 and Citrix Presentation Server and apply all

Document version –3.0-23/04/2010

 Cyberoam Release Notes

the identity-based security policies to monitor and control the access.

Solution can be implemented for all the user types – HTTP, Single Sign On (SSO) and
Clientless SSO (CTAS).

Configuration
5. Download Client from http://download.cyberoam.com/beta/catc and install on Microsoft
Terminal Server (Microsoft TSE) or Citrix Presentation Server
6. Configure Cyberoam for communication between the two from CLI using the command:
cyberoam auth thin-client add citrix-ip <ip address of citrix server>

10. IM Logging and Control for Yahoo and WLM

All Instant Messaging communication happening over Yahoo IM and Windows Live
Messenger traffic can now be scanned, logged and controlled too.

Cyberoam also provides an option to enable inspection of IM traffic on non-standard ports.

For details, refer to section Traffic Inspection on non-standard port.

The feature would allow Administrators to

1. Log all communication between specific set of users, over either Yahoo or WLM.
2. Control who can chat with whom
3. Have granular control over the form of communication i.e. chat, voice or video.
4. For example, chat can be allowed between Sales and Marketing team but it can be
denied between Sales and Accounts team.

Configuration
1. Add IM contacts or IM Group for whom rules are to be created
2. Define Conversation rule to allow or deny 1-to-1 or group Chat conversation between IM
contacts added in step 1
3. Define File transfer rule to allow or deny file transfers between IM contacts added in
step 1
4. Define Webcam rule to allow or deny the usage of Web camera between IM contacts
added in step 1
5. Define Login rules to allow specific Yahoo/MSN contacts to login to their servers. By
default, access to Yahoo and MSN chat is denied to all the contacts.
6. Define content filtering rules

The scanned IM logs can be viewed from Log Viewer page.

Limitations
1. File transfer and web camera usage not supported for Windows Live Messenger v 2009
2. No support for File transfer logging
3. No file archive support
4. Yahoo traffic will be scanned only if HTTP scanning is enabled.

11. IPv6 Traffic Forwarding support

From this version onwards, Cyberoam supports forwarding of IPv6 traffic and Appliances
will be “IPv6 Ready” certified for Phase II.

IPv6 is version 6 of the Internet Protocol. It is an Internet Layer protocol for packet-switched
internetworks. It has a larger address space than standard IPv4 hence can provide billions

Document version –3.0-23/04/2010

 Cyberoam Release Notes

more unique IP addresses than IPv4. This results from the use of a 128-bit address,
whereas IPv4 uses only 32 bits. The internet is currently in transition from IPv4 to IPv6
addressing.

Cyberoam allows configuring IP address using following notations:

Standard Represent the address as eight groups of 4 hexadecimal digits
notation
For example: 0EDC:BA98:0332:0000:CF8A:000C:2154:7313

Compressed If a 4 digit group is 0000, it may be omitted.

notation
For example

3f2e:6c8b:78a3:0000:1725:6a2f:0370:6234 can be written as

3f2e:6c8b:78a3::1725:6a2f:0370:6234

4f7e:6c8b:79a3:0000:1725:0000:0370:6234 can be written as

4f7e:6c8b:79a3::1725::0370:6234

Mixed IPv4 addresses that are encapsulated in IPv6 addresses can be

notation represented using the original IPv4 ``.'' notation as follows:

For example

0:0:0:0:0:0:127.32.67.15

0:0:0:0:0:FFFF:127.32.67.15

It is also possible to use the compressed notation, so the addresses

above would be represented as:

::127.32.67.15

::FFFF:127.32.67.15

Configuration
To Implement IPv6, one simply needs to assign IPv6 IP addresses to an Interfaces
using CLI command as
cyberoam ipv6 interface Port <port number> <ip address>
E.g. cyberoam ipv6 interface PortB address add 3ffe:501:ffff:101:290:fbff:fe18:5968/64

Additional commands
1. Create Prefix list for the Interface
cyberoam ipv6 interface Port <port number> prefix add <ip address>
e.g.
cyberoam ipv6 interface PortC prefix add 3ffe:501:ffff:101::/64

2. Configure IPv6 Routing

Add Router
cyberoam ipv6 route add <ip address>

e.g. cyberoam ipv6 route add 3ffe:501:ffff:101::/64 gateway

fe80::210:f3ff:fe08:7d6c interface PortC

Document version –3.0-23/04/2010

 Cyberoam Release Notes

Configure router advertisement

cyberoam ipv6 interface Port<port number> router-adv send-adv enable

e.g. cyberoam ipv6 interface PortC router-adv send-adv enable

3. Test connection with pin6

ping6 3ffe:501:ffff:100:20d:48ff:fe36:59a4

4. Tunnel IPv6 traffic over an IPv4 network:

cyberoam ipv6 tunnel add <tunnel-name> remote-ip <ip address v4> local-ip <ip address
v6>

12. SSL VPN Updates

12.1 Application Access Mode
From this version onwards, Cyberoam now allows remote access to different TCP
applications over Application Access Mode. As application is launched in a web browser, it
offers a clientless network access.

The feature comprises of an SSL daemon running on the Cyberoam appliance and AAM
Client running at the Client side to establish a secure tunnel. AAM Client is a Java Applet
Thin client which requires JRE 1.4.2.

Application access allows remote access to different TCP based applications like HTTP,
HTTPS, RDP, TELNET e.g. telnet.exe, SSH e.g. putty, secureCRTand FTP (Passive mode)
without installing client.

Server side Configuration

1. Add Applications as Bookmarks
2. Select Application Access mode in VPN SSL policy
3. Assign policy to the User or Group

For administrators, Cyberoam Web Admin console provides SSL VPN management.
Administrator can configure SSL VPN users, access method and policies, user bookmarks
for network resources, and system and portal settings.

Prerequisite (Remote User)

For remote users, customizable End User Web Portal enables access to resources as per
the configured SSL VPN policy.
• Microsoft Windows supported – Windows 2000, Windows XP, Windows 7, Windows
Vista and Windows Server 2003.
• Admin Rights Required – Remote user must be logged on as Admin user or should
have Admin privilege.
• JRE Installation – Java Runtime Environment V 1.5 or below.

12.2 Save User Credential option for Remote Users

To remove the hassles to type username and password every time for login, option to save
username and password is provided on the SSL VPN client.

12.3 Auto-start SSL VPN connection

Auto-start SSL VPN option is provided to automatically establish the SSL VPN connection
whenever Client system starts. One needs to save username and password to enable auto-
start functionality.

Document version –3.0-23/04/2010

 Cyberoam Release Notes

13. 3G device support on WAN

With introduction of 3G (Third Generation) support, Cyberoam now delivers twin protection
for high-speed secure wireless WAN (WWAN) combined with high-performance UTM. It not
only secures the wireless connection but also inspects and encrypts the traffic over the
wireless network. Hence, Cyberoam now supports set of security policies over both wired as
well as wireless networks.

It works with wireless access points from any vendor to provide security and hence achieve
broadband connectivity via high-speed wireless networks where wired-broadband
connections are not available.

The WWAN can be used by:

1. People constantly on the road for business or pleasure and cannot be without web
connection
2. Ideal for users away from home needing to connect virtually anywhere in their coverage
area
3. Temporary network where pre-configured connection is not available like trade-shows
4. Mobile and cellular networks to utilize cellular technology to securely transfer data or
connect to the Internet
5. WAN failover connection

Wireless WAN support requires a contract with a wireless service provider. Check Appendix
A for supported wireless service providers.

Configuration
1. Pre-requisite – Cyberoam deployed in gateway mode
2. Enable WWAN from CLI with command: cyberoam wwan enable
3. Re-login to Web Admin console
4. Configure WWAN Interface settings from Network > Wireless WAN > Settings page
5. Once the connection is established, system host - #WWAN1 and WWAN1 Interface will
be automatically added with the IP address 0.0.0.0 and
6. As WWAN1 Interface will be the member of WAN zone, all the firewall rules configured
for the WAN zone will be applicable to WWAN1 Interface.
7. Additional firewall rules can be configured for host - #WWAN1

14. Integration with Cyberoam-iView for Logging and Reporting

Cyberoam is now integrated with Cyberoam-iView to offer wide spectrum of 1000+ unique
user identity-based reporting across applications and protocols and provide in-depth
network visibility to help organizations take corrective and preventive measures.

It provides network administrators with the information they need to enable the best
protection and security for their networks against attacks and vulnerabilities.

Cyberoam Administrator can also choose to restrict visibility of logs and reports to an
administrator who manages Cyberaom-iView through Role base Access Control. For
example, create a profile with read-write access for Log & Reports pages and assign to an
Administrator who is required to manage reports through Cyberoam-iView. This feature can
be very useful in an MSSP scenario.

Cyberoam-iView can be accessed by clicking “Reports” on the topmost button bar on each
page or from View Reports page under Logs & Reports menu.

Administrator has to login to Cyberoam-iView with the default username & password for
Cyberoam-iView – admin, admin and not with the Cyberoam username and password.

Document version –3.0-23/04/2010

 Cyberoam Release Notes

15. Customer My Account Portal for Registration & Subscription

Customer My Account portal (http://customer.cyberoam.com) now supports creation of
Customer Account and registration of the Appliance and allows to subscribe to various
modules. In the earlier versions, one had to do register and subscribe from the Appliance
itself. One can also register additional appliance through the portal itself.

Two step process

8. For creation of customer account and registration of appliance, “Registration” option is
provided on the home page while to subscribe for modules, one has to login from the
home page with the credential - email id and password, set at the time of creating
customer account.
9. Synchronize the registration and subscription details on Appliance from Web Admin
console.

16. External Authentication support for Administrator

Cyberoam Administrators can now be authenticated by the external authentication server -
RADIUS, LDAP, Active Directory. With the support of configuring multiple authentication
servers, it is also possible to configure combination of external and local authentication for
the administrators.

In case of multiple servers, administrator can designate primary and optionally the
secondary server. If primary server cannot authenticate the user then only secondary server
will try to authenticate. If secondary server also cannot authenticate the user then Cyberoam
refuses the access.

By default, primary authentication method is “Local” while secondary authentication method

is “None”.

17. Support to mitigate HTTP-based DDos Attack

DoS attacks to Web services known as HTTP flood attack pose a serious threat to Web site
owners and hosting providers. In this type of attacks, malicious clients send a large number
of HTTP-GET requests to the target Web server automatically making it difficult or
impossible for legitimate visitors to access it, disrupt server operation and apparently cause
costly data transfer and bandwidth overages and can negatively impact the confidence of
that site's visitors, doing incalculable damage to the site's reputation.

While simplistic packet-based attacks can be more easily mitigated upstream, with an
HTTP-based attack it is often difficult to distinguish attack traffic from legitimate HTTP
requests as these HTTP-GET requests have legitimate formats and are sent through normal
TCP connections. Hence, Intrusion Detection Systems also cannot detect them.

To detect such attacks, Cyberoam identifies such attacks based on rate of HTTP requests
per source IP or number of HTTP requests per TCP connection. Number of requests higher
than the configured rate is considered as attack and the traffic is from the said source is
dropped. One can either configure allowed number of connections or for granular controls
can configure allowed number of requests per Method – GET and PUT.

Configuration
From CLI, set number of connections and HTTP method with the commands:
set http_proxy dos add connection <number of connections>
set http_proxy dos add method <GET | POST> <number of requests>

18. Traffic Inspection on non-standard ports

By default, Cyberoam inspects all inbound HTTP, HTTPS, FTP, SMTP, POP and IMAP
Document version –3.0-23/04/2010
 Cyberoam Release Notes

traffic on the standard ports. However, many applications scan for open ports for malicious
purposes. For example, worms and trojans often use non-standard HTTP port to pass
remoet commands and fetch data from remote sites. For phishing attempts, fraudulent
websites hosted on non-standard HTTP ports to lure customers to submit and disclose their
personal information.

To protect from such attacks, Cyberoam now provides option to enable inspection of HTTP,
HTTPS, FTP, SMTP, POP, IMAP, IM – MSN and Yahoo traffic on non-standard port also.

Configuration
From CLI, use the command
set service-param <service> <add | delete> <port number>

1. Maximum 16 ports can be configured per service

2. Same port cannot be configured for across the services e.g. if HTTP is configured for
port 8080 then it cannot be configured for any other service.
3. Following default ports cannot be configured for any services: 21, 25, 80, 110, 143

19. Protection of BGP Sessions via the TCP MD5 Signature

Since BGP uses TCP as its transport protocol, it is vulnerable to all security weaknesses of
the TCP protocol itself. For a determined attacker, it is possible to forcibly close a BGP
session or even hijack it and insert malicious routing information into the BGP data stream.

TCP MD5 Signature is used to secure the BGP session and protect against the introduction
of spoofed TCP segments into the connection stream and connection resets.

MD5 checksum added to every packet of a TCP session makes it difficult for the attacker as
to hijack the session MD5 key as well as TCP sequence number is needed.

Configuration
From CLI console, go to menu Option 3. Route Configuration > 1. Configuration Unicast
Routing > 3. Configure BGP
At the prompt, using the following command to enable MD5 support:
enable
configure terminal
router bgp <AS number>
network <network>
neighbor <neighbor address> remote remote-as <AS no of neighbor BGP router>
neighbor <neighbor address> password < MD5 Key >

Currently only ipv4 address are supported.

20. Module level Logging capability

From this version, it will be possible to view logs - Admin, Antivirus, Antispam,
Authentication, Firewall, IPS, IM, System, Web Filter, from the Web Admin console. To help
diagnose the problem, all the configuration changes will also be logged.

21. Miscellaneous Enhancements

21.1 100+ Applications filter support
Cyberoam’s application layer filtering allows enterprises to have advanced control over

Document version –3.0-23/04/2010

 Cyberoam Release Notes

applications and network protocols. Rather than controlling access through IPS signatures,
Cyberoam has added 100+ categories to mitigate the risk from unauthorized applications
and reduce bandwidth cost by controlling access to these applications.

One can control access of hundreds of Applications that grouped as per the usage e.g.
Instant Messengers like Yahoo Messenger, QQ Messenger , Gtalk, Webmail Chat Attempt
etc. are grouped under IM category.

21.2 Web filter support

Cyberoam provides web filtering as a means to control access over the Internet use and
improvise on network security and employees productivity.

Cyberoam groups hundreds of web sites into default categories and allows to add custom
category as per the network requirement to prevent the access to malicious sites, protect
your network from malware, worms, spyware, trojans etc.

Cyberoam also allows allocating bandwidth based on the Web category apart from
allocating and prioritizing bandwidth based on users. It will not only improve the network
productivity by limiting the bandwidth used by the recreational applications but also
guarantee the performance of the critical business application.

21.3 Configurable Automatic Updates of Web Categories & IPS Signature

database
Automatic updates of Web categories and IPS signature database can now be disabled. By
default they are enabled and can be disabled from System > Maintenance > Updates page
of Web Admin console.

21.4 Support for Firewall rule Name

In the networks where more number of firewall rules are required, it became difficult to
identify the firewall rule with its numbered ids. Hence, to easily identify the firewall rule, they
can now be named like all other security policies of Cyberoam.

21.5 Appliance Management from Dashboard

For ease of use, rebooting appliance and shutting down appliance option are provided on
Dashboard. In version 9.x, one had to either do it from Manage Server page of Web Admin
console or CLI.

21.6 Global Administrator support

Apart from the default super admin “cyberoam”, Cyberoam is now shipped with one global
superadmin with the credentials – username & password as “admin”. Both the consoles –
Web Admin console and CLI, can be access with the same credentials. This administrator is
always authenticated locally i.e. by Cyberoam itself. We recommend changing the password
for this username immediately after deployment.

In case multiple external authentication servers are configured and both the servers go
down, Administrator will not be able to access Web Admin console with default admin
“cyberoam”. In such situation, administrator can login with credentials admin/admin.

21.7 Captive Portal page components customization support

As Captive Portal is an entry point to the Corporate network, Cyberoam provides flexibility to
customize the Portal page to offer consistent logon/log off page. This page can be exclusive
to your business including your business name and logo. It also provides flexibility to
customize page color scheme as per your company’s Website.

Document version –3.0-23/04/2010

 Cyberoam Release Notes

21.8 Packet Capture log

Packet Capture log now includes details of all the packets and not just the Denied packets
details.

21.9 Automatic Certificate regeneration on modification

21.10 Appliance Access bypass check (for CR15wi, CR 15i, CR25i models
only)
To override or bypass the configured Appliance Access and allow access to all the
Cyberoam services, from CLI execute command as:
console> cyberoam appliance_access enable

Disable to reapply Appliance Access.

By default, it is disabled.
Enable and disable event will be logged in Admin Logs.

Feature removed
1. CLI option “Remove Firewall Rules” (for CR15wi, CR 15i, CR25i models
only)

Document version –3.0-23/04/2010

 Cyberoam Release Notes

General Information

Technical Assistance
If you have problems with your system, contact customer support using one of the following
methods:
Email id: support@cyberoam.com
Telephonic support (Toll free)
• APAC/EMEA: +1-877-777- 0368
• Europe: +44-808-120-3958
• India: 1-800-301-00013
• USA: +1-877-777- 0368

Please have the following information available prior to contacting support. This helps to
ensure that our support staff can best assist you in resolving problems:
• Description of the problem, including the situation where the problem occurs and its
impact on your operation
• Product version, including any patches and other software that might be affecting the
problem
• Detailed steps on the methods you have used to reproduce the problem
• Any error logs or dumps

Technical Support Documents

Knowledgebase: http://kb.cyberoam.com
Documentation set: http://docs.cyberoam.com

Document version –3.0-23/04/2010

 Cyberoam Release Notes

Change Log

Revision Topic Description

1.0 Initial Release
2.0 Email Archiving, Added support for Cyberoam CR15wi
DHCP Server models
Logs, Wireless
LAN
3.0 DHCP Server Added support for Cyberoam CR15i
Logs, Wireless models
LAN

Document version –3.0-23/04/2010

 Cyberoam Release Notes

Important Notice
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented
without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the
right, without notice to make changes in product design or specifications. Information is subject to change without
notice.

USER’S LICENSE
The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement.
Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be
bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the
unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on
which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the
Software substantially conforms to its published specifications except for the foregoing, the software is provided AS IS.
This limited warranty extends only to the customer as the original licenses. Customers exclusive remedy and the entire
liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center’s option, repair,
replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the software to the
customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate
the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are
powered by Kaspersky Labs and Commtouch respectively and the performance thereof is under warranty provided by
Kaspersky Labs and Commtouch. It is specified that Kaspersky Lab does not warrant that the Software identifies all
known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.

Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and
electrical components will be free from material defects in workmanship and materials for a period of One (1) year.
Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The
replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace
the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is
substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including,
without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising
from a course of dealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable law.

In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect,
consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of
the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such
damages. In no event shall Elitecore’s or its supplier’s liability to the customer, whether in contract, tort (including
negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above
stated warranty fails of its essential purpose.

In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages,
including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual,
even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 1999-2010 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of
Elitecore Technologies Ltd.

CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower,
Off. C.G. Road,
Ahmedabad – 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com, www.cyberoam.com

Document version –3.0-23/04/2010